Privacy Policy

1. Introduction

Koan Media Limited ("we", "us", or "our") respects your privacy. This Privacy Policy explains how we collect, use, store, and share personal and other information when you:

• use our website koanmedia.io (the "Website"); and/or
• use our mobile application Chakratones Healing Sounds (the "App"), published by us.

We are the data controller for processing described here, unless we state that a provider acts as a processor on our instructions.

Scope: This policy covers the Website and the App together. Some processing applies only to the Website or only to the App; we say so where it matters. If you use only the Website or only the App, the sections that apply to you are those that describe that service.

Related policies: Our Cookie Policy describes cookies and similar technologies on the Website. Our Terms of Use govern use of the Website and, where applicable, the App.

2. Information We Collect

2.1 Information you provide (Website and contact)

• Contact and identity: Name, email address, phone number, and any other details you choose to send when you contact us via the Website, email, or other channels.
• Business information: Information you provide in a business or professional context.
• Any other content you voluntarily provide (e.g. message text).

2.2 Information collected automatically (Website)

• Technical and usage data: Such as IP address, browser type, approximate location derived from IP, pages viewed, and time spent, where our hosting or analytics tools collect this.
• Cookies and similar technologies: As described in our Cookie Policy, subject to your choices where consent is required.

2.3 Information collected in or through the App

When you use the App, we and our service providers may process the following categories (non-exhaustive):

• Device and app usage: App opens, sessions, screen or feature usage, coarse diagnostics needed to run the app.
• Analytics and product improvement: Event and usage data to understand how the App is used, where you have consented through our in-app consent flow (see PostHog below and Section 7).
• Error and stability diagnostics: Technical logs, crash or error reports, and device/OS information to identify and fix faults, where you have consented where consent is required (see PostHog below and Section 7).
• Advertising and measurement (AdMob): Data processed by the Google Mobile Ads SDK as described under Advertising — Google AdMob below.
• Subscriptions and purchases: Product identifiers, purchase state, and platform account identifiers processed with RevenueCat and the relevant app store (Apple/Google).
• Account, preferences, and content: Settings, playlists, favourites, and similar data on your device and, if you use sign-in or cloud sync, on our backend systems (Supabase) as described under Cloud and sync — Supabase below.
• Notifications (optional): If you enable notifications, the App may use platform push services — for example Apple Push Notification service (APNs) on iOS and Firebase Cloud Messaging (FCM) or the equivalent Google delivery path on Android. That may involve a push token, device identifiers required by the platform, and delivery metadata. Notifications are optional and depend on your permission and OS settings. Content may include operational or session-related information needed to deliver reminders or updates you have requested.
• Profile or avatar (optional): You may choose an image from your photo library or camera for display in the App; the image is processed for that purpose and may be stored on your device and, if you use cloud sync, on our backend (Supabase) as described below.
• Export and import (optional): You may select files through the system document picker for backup, migration, or data portability where the feature exists; only user-selected files are accessed.
• Local storage and media access: Cached audio and App data live in the App's sandbox. We do not access your full photo library, documents, or other apps' files except through the optional, user-initiated flows above (camera, library, document picker).
• Over-the-air updates: The App may download and apply updates (including JavaScript bundles or assets) via Expo update services; this involves technical metadata such as app version and update checks. See Expo's privacy information.

2.4 Third-party services in the App

Advertising — Google AdMob

We use Google AdMob to serve advertisements in the App. To deliver and measure ads and to help prevent fraud, Google's Mobile Ads SDK may automatically collect and process information, including:

• Network and identifiers: IP address (used to approximate general location, e.g. city or country level); Android Advertising ID or Apple's identifier for advertisers (IDFA) (subject to platform settings and your choices).
• Device information: Device model, operating system version, language, and mobile carrier or network type where available.
• Interaction data: Ad impressions, clicks, and related app usage signals relevant to advertising delivery and fraud prevention.

How Google uses data from apps that use its services is described in Google's documentation, for example: How Google uses information from sites or apps that use our services.

You can control personalised advertising to the extent permitted by your device and the App (e.g. device settings, App Tracking Transparency on iOS, Google Ads settings on Android). In the European Economic Area (EEA), United Kingdom, and Switzerland, we use Google's consent management as part of AdMob: a Google-certified consent management platform (CMP) (Google's User Messaging Platform, UMP) to obtain and record consent for processing related to advertising where required by law. You can review or change choices in the App's privacy or consent settings when available.

Affiliate and partner marketing — GoMarketMe

The App uses GoMarketMe to support affiliate and partner marketing attribution, for example to link installs or purchases to partner campaigns where applicable. GoMarketMe is not used for subscription billing; RevenueCat and the app stores remain the path for purchase validation as described under Subscriptions — RevenueCat below.

Affiliate partners (separate from end users of the App): Businesses or individuals who take part in our affiliate or partner programme must register with GoMarketMe and agree to GoMarketMe's terms (and any other requirements GoMarketMe sets) before they can use GoMarketMe's partner-facing side of the service or receive attribution through that platform. That registration and contract is between the partner and GoMarketMe.

App users and attribution: As an app user, your information may be processed in connection with affiliate attribution so that installs or qualifying actions (such as purchases) can be matched to partner campaigns where applicable. GoMarketMe may receive or generate technical identifiers, install or conversion signals, app- or purchase-related events, and device or app metadata for that purpose, as set out in GoMarketMe's privacy policy. Processing is carried out in accordance with GoMarketMe's documentation and our arrangements with them. For details of retention, international processing, and any opt-out or limitation options GoMarketMe offers, see their policy.

Analytics and error reporting — PostHog

We use PostHog to analyse how the App is used and to detect, diagnose, and fix errors (including crashes and performance issues). Our PostHog configuration collects:

• Usage events (e.g. navigation or feature usage) and technical metadata (e.g. device type, OS version, app version).
• Error and diagnostic events necessary to reproduce or fix bugs.

We use PostHog only where permitted by your consent choices in the App where consent is required. We configure PostHog to minimise unnecessary personal data; some data may still be pseudonymous (e.g. identifiers tied to an installation or device). We do not use PostHog to sell your personal information.

Subscriptions — RevenueCat

If you subscribe or make in-app purchases, RevenueCat and the relevant app store (Apple App Store or Google Play) process information needed to validate purchases, restore access, manage subscription state, and prevent fraud. That may include transaction identifiers and app-user identifiers as defined by those platforms. The App may also use additional store billing APIs alongside RevenueCat only for purchase validation, restoration, or compatibility with platform requirements; payment processing remains through Apple, Google, and RevenueCat as described here.

Cloud and sync — Supabase

If you sign in or use features that sync data across devices, Supabase stores and processes preferences, playlists, account-related data, and similar content on our behalf. Processing is governed by our agreements with the provider and this policy.

3. How We Use Information

We use information for the following purposes, as applicable:

• Provide and operate the Website and App — Performance of a contract; legitimate interests; consent where required.
• Respond to enquiries and support — Legitimate interests; performance of a contract.
• Improve the Website and App — Legitimate interests; consent for optional analytics/ads where required.
• Serve and measure ads (AdMob) — Consent in the EEA/UK/CH where required; legitimate interests elsewhere only where lawful.
• Analytics and error diagnostics (PostHog) — Consent where required; legitimate interests for strictly necessary security/stability where lawful.
• Manage subscriptions and payments — Performance of a contract.
• Affiliate and partner marketing (GoMarketMe) — To attribute installs or purchases to partner campaigns as described under Affiliate and partner marketing — GoMarketMe above. The lawful basis we rely on for processing app users' information in connection with that attribution (which may be legitimate interests, consent, or a combination, depending on your jurisdiction and the nature of the processing) is the one that applies under applicable law and our legal advice.
• Comply with law and enforce our terms — Legal obligation; legitimate interests.

We do not sell your personal information in the conventional sense of "sale" for money. Advertising uses may involve sharing data with ad partners as described under Advertising — Google AdMob above and Google's policies. GoMarketMe is separate from Google's advertising consent (UMP/CMP) in Section 7. Partner registration with GoMarketMe is governed by GoMarketMe's terms with those partners, as described under Affiliate and partner marketing — GoMarketMe above.

4. International Transfers

Some of our providers (including Google, PostHog, RevenueCat, Supabase, and GoMarketMe) may process data in the United Kingdom, European Economic Area, United States, or other countries. Where we transfer personal data outside the UK/EEA, we rely on appropriate safeguards (such as the UK International Data Transfer Agreement / Addendum, or EU Standard Contractual Clauses, as appropriate) where required by law.

5. Data Retention

• Website: Contact and enquiry data are kept for as long as needed to handle your request and for a reasonable period afterwards (including for legal claims).
• App: App and account data are kept while your account is active or as needed to provide the service.
• Third parties: AdMob, PostHog, RevenueCat, Supabase, and GoMarketMe apply their own retention periods; we configure retention where practicable and in line with this policy.

When we no longer need personal data, we delete or anonymise it subject to legal or regulatory retention requirements.

6. Your Rights

If you are in the United Kingdom, the EEA, or Switzerland, you have rights under applicable data protection law, which may include:

• Access your personal data.
• Rectify inaccurate data.
• Erase your data in certain circumstances.
• Restrict processing in certain circumstances.
• Object to processing based on legitimate interests (including profiling where applicable).
• Data portability for data you provided to us, where processing is automated and based on consent or contract.
• Withdraw consent at any time, where consent is the legal basis (see also Section 7 for advertising consent).

Complaints: If you are in the UK, you may lodge a complaint with the ICO (Information Commissioner's Office). If you are in the EEA, you may contact your local data protection supervisory authority. If you are in Switzerland, you may contact the Federal Data Protection and Information Commissioner (FDPIC), as applicable.

To exercise rights, contact us at hello@koanmedia.io. We may need to verify your identity before responding.

7. Advertising Consent (EEA, UK, Switzerland) — AdMob

If you are in the EEA, UK, or Switzerland, regulations (including the GDPR and UK GDPR) may require consent before certain advertising-related processing (including personalised ads and some measurement).

• We use Google's User Messaging Platform (UMP) together with a Google-certified CMP, as provided through Google AdMob, to present consent requests and record choices where required.
• You may withdraw consent or change preferences at any time through in-app privacy or consent settings (and through device-level controls where applicable).
• You may also have rights to access, rectify, delete, or restrict processing of pseudonymous data linked to your device (such as advertising identifiers), subject to exceptions.

Withdrawal of consent does not affect the lawfulness of processing before withdrawal.

8. Age Ratings, Subscriptions, and Who May Use the App

The App is distributed on the Apple App Store and Google Play with age ratings set by us in line with each store's rules. Those ratings reflect the nature of the App and the fact that in-app purchases and subscriptions are available (including where applicable age or parental requirements for payments are determined by the store and by law).

Purchases and subscriptions are processed by the relevant app store and our payment/subscription providers as described in this policy. Eligibility to enter into a binding contract for subscriptions is governed by applicable law and the store's terms; we do not rely on this Privacy Policy to replace those requirements.

9. Security

We implement appropriate technical and organisational measures to protect personal information against unauthorised access, alteration, disclosure, or destruction. No method of transmission or storage is completely secure; we use reasonable industry practices.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version on koanmedia.io/privacy and change the "Last updated" date. Material changes may require additional notice under app store rules or law; we will comply with those requirements.

11. Contact Us

If you have questions about this Privacy Policy, please contact us:

Koan Media Limited
Suite 6979, Unit 3A
34-35 Hatton Garden
Holborn, London EC1 8DX
United Kingdom

Company number: 16906778 (England & Wales)

Email: hello@koanmedia.io

For questions about this policy, AdMob, or your data, use the email above.